literatetohack

listen more to learn more.

Wednesday, April 25, 2018

Portugal Joins NATO Cyber-Defence Centre

Portugal on Tuesday became the 21st country to join NATO's cyber defence centre, the Tallinn-based body said at a flag-raising ceremony. 

"We are facing adversaries who target our common values in cyberspace: freedom, truth, trust," centre director Merle Maigre said at the ceremony.

"To build resilience we need to come together. That is why I am glad to welcome Portugal as together we are stronger," she added. 

The centre was founded in 2008 in the capital of cyber-savvy Estonia, a country ranked as having one of the world's highest internet user rates and one which had itself come under attack the previous year.

Estonia accused Russia, NATO's old Cold War foe, of being behind the attacks on its official sites and information networks.

At the centre, data experts from across Europe and the United States work to protect the information networks of the Western defence alliance's 29 countries. 

The centre's current members are Austria, Belgium, the Czech Republic, Estonia, Finland, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, the Netherlands, Poland, Portugal, Slovakia, Spain, Sweden, Turkey, the United Kingdom and the United States.
Australia, Norway and Japan have said they also plan to join.

New Tool Detects Evil Maid Attacks on Mac Laptops

A security researcher has developed a simple tool that helps Mac laptop owners detect unauthorized physical access to their device, also known as an evil maid attack, by monitoring its lid.

The free tool, named DoNotDisturb (DND), was created by Patrick Wardle, co-founder and chief research officer at enterprise macOS security company Digita Security.
Leaving a laptop unattended – for example, leaving it in the hotel room while traveling – puts the device at risk of evil maid attacks. An attacker who has physical access to the targeted device may steal data from it or install malicious software without leaving any obvious evidence behind.

The DND tool attempts to address this issue on Mac laptops by monitoring lid events. It works on the premise that the user closes the device’s lid when leaving it unattended and that a majority of evil maid attacks require the attacker to open that lid; physical attacks that do not involve opening the lid are outside what the tool can detect.

DND is a simple tool, but it does include some interesting features and options. Users can configure the app to start at login and run in passive mode, which means it will run silently without any visible alerts. The “No Icon” mode ensures that an icon is not displayed in the macOS/OS X menu bar, making the tool even stealthier.
DoNotDisturb - DND
The main tool installed on the monitored Mac laptop can be paired with an iOS application that allows the user to view alerts and respond. The iOS app can be used to dismiss an alert, take a picture of the individual using the monitored laptop, and remotely shut down the device. While the macOS tool is free, users have to pay a monthly or yearly subscription fee ($9.99 per year) to use the iOS companion for more than one week. The iOS app is optional, but without it users will not receive alerts and cannot take any remote action if an attack occurs.

DND can be configured to take specific actions when the device’s lid is opened. For example, it can execute a script or a binary file, or it can start tracking the attacker’s activities, including new processes, new logins, and USB device insertions.

For users who want to keep DND active on their device at all times but do not want the app to trigger an alert whenever they open the laptop’s lid themselves, the tool can be configured to ignore lid events in specific cases. However, this setting requires a newer model Mac laptop that has a Touch Bar and is running macOS 10.13.4 or newer.

“When this mode is enabled, DND will ignore any lid open events if preceded by a successful Touch ID authentication event within 10 seconds. The idea is that this allows one to tell DND to trust (or ignore) a lid event that is a result of you (vs. somebody else) opening your laptop,” Wardle explained.

Wardle is well known on the Mac hacking scene thanks to the useful apps he has released and the vulnerabilities he has found in both Apple’s own code and third-party software.

Saturday, April 7, 2018

Facebook's Sandberg Says Other Cases of Data Misuse Possible

Sandberg, who joined Facebook in 2008 from Google, has been largely silent since the privacy scandal broke but she gave interviews on Thursday and Friday to National Public Radio and NBC's "Today Show."

"We know that we did not do enough to protect people's data," Sandberg told NPR. "I'm really sorry for that. Mark (Zuckerberg) is really sorry for that, and what we're doing now is taking really firm action."

"Safety and security is never done, it's an arms race," she said. "You build something, someone tries to abuse it."

"But the bigger (question) is, 'Should we have taken these steps years ago anyway?'" Sandberg said. "And the answer to that is yes.

"We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic," she said. 

"We did not think enough about the abuse cases and now we're taking really firm steps across the board."

Facebook has been scrambling for weeks in the face of the disclosure of the hijacking of private data by the British consulting group working for Donald Trump's 2016 presidential campaign.

'That's on us'

Sandberg said Facebook was first aware two and a half years ago that Cambridge Analytica had obtained user data from a researcher who put up a poll on Facebook.
"When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted," she said. "We did not follow up and confirm, and that's on us — and particularly once they were active in the election, we should have done that."
Sandberg was asked by the "Today Show" if other cases of misuse of user data could be expected.

"We're doing an investigation, we're going to do audits and yes, we think it's possible, that's why we're doing the audit," she said.
"That's why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven't necessarily found problems, but we think that we should be more protective of people's data," she told NPR.
Sandberg said that starting Monday, the social network will put at the top of its news feed "a place where you can see all the apps you've shared your data with and a really easy way to delete them."

Sandberg said Facebook also should have been more proactive in dealing with Russian interference in the 2016 presidential election.
"That was something we should have caught, we should have known about," she told NPR. "We didn't. Now we've learned."

"We're going after fake accounts," she told the "Today Show." "A lot of it is politically motivated but even more is economically motivated."
Zuckerberg accepted responsibility this week for the failure to protect user data but maintained he was still the best person to lead the network of two billion users.
He is to appear before a US congressional panel next week to address privacy issues.
Facebook shares were down slightly in mid-morning trading in New York on Friday.

Thursday, April 5, 2018

Microsoft Adds New Security Features to Office 365

Microsoft today announced new protections for Office 365 Home and Office 365 Personal subscribers, aimed at helping them recover files, protect data, and defend against malware.

Courtesy of the newly announced protections, Office 365 Home and Office 365 Personal users can now recover their files after a malicious attack like ransomware, Kirk Koenigsbauer, Corporate Vice President for Office at Microsoft, says.
The new functionality is available through a Files Restore option that has been long available for OneDrive for Business customers. The feature is now available for personal OneDrive accounts and is enabled for both work and personal files.
With the help of Files Restore, users can restore their entire OneDrive to a previous point in time within the last 30 days. The feature should prove highly useful in a variety of situations, ranging from an accidental mass delete to file corruption, ransomware encryption, or another catastrophic event.
To further protect users, Microsoft is bringing ransomware detection and recovery features to Office 365. This feature ensures that ransomware attacks are detected and also helps users restore their OneDrive to a point before files were compromised.
“If an attack is detected, you will be alerted through an email, mobile, or desktop notification and guided through a recovery process where you’ll find the date and time of attack preselected in Files Restore, making the process simple and easy to use. As these threats evolve, we are continuously improving detection capabilities to help keep you safe from the most advanced ransomware,” Koenigsbauer notes.
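The two pieces described above, detecting the attack and preselecting the moment just before it in a point-in-time restore, can be illustrated on a small version log. The following is an added example written for this page, not Microsoft's OneDrive code: the log format, the burst thresholds (a five-minute window, half of the existing files, at least four files), the sample data and the "current time" are all constructed, and a real service would use far richer signals than a change-rate burst.

```python
"""Point-in-time restore with mass-modification onset detection.

Added example modelled on the Files Restore workflow described above.
Not Microsoft's code: the version-log format, thresholds, SAMPLE_LOG and NOW
are constructed for this illustration.
"""
from datetime import datetime, timedelta

RETENTION = timedelta(days=30)       # the 30-day window the article describes
BURST_WINDOW = timedelta(minutes=5)  # assumption: how tightly a mass-change burst is clustered
BURST_FRACTION = 0.5                 # assumption: share of existing files changed in one window
MIN_FILES = 4                        # assumption: ignore drives so small that one edit is half of them

# Constructed version log: "<ISO timestamp> <action> <path> <content-digest>".
SAMPLE_LOG = """
2018-03-01T09:00:00 create docs/a.docx d1
2018-03-01T09:00:01 create docs/b.docx d2
2018-03-01T09:00:02 create docs/c.xlsx d3
2018-03-01T09:00:03 create docs/d.pptx d4
2018-03-01T09:00:04 create docs/e.txt d5
2018-03-01T09:00:05 create docs/f.txt d6
2018-03-03T11:30:00 modify docs/a.docx d7
2018-03-10T10:00:00 modify docs/b.docx d8
2018-03-10T10:02:00 modify docs/c.xlsx d9
2018-03-20T14:00:00 modify docs/a.docx e1
2018-03-20T14:00:01 modify docs/b.docx e2
2018-03-20T14:00:01 modify docs/c.xlsx e3
2018-03-20T14:00:02 modify docs/d.pptx e4
2018-03-20T14:00:02 modify docs/e.txt e5
2018-03-20T14:00:03 modify docs/f.txt e6
"""


def parse_ts(text: str) -> datetime:
    return datetime.fromisoformat(text)


NOW = parse_ts("2018-03-25T08:00:00")  # constructed "current time"


def parse_log(text: str):
    """Parse the constructed log into (timestamp, action, path, digest) tuples, time-ordered."""
    entries = []
    for line in text.strip().splitlines():
        ts, action, path, digest = line.split()
        entries.append((parse_ts(ts), action, path, digest))
    entries.sort(key=lambda e: e[0])
    return entries


def snapshot_at(entries, when: datetime, now: datetime = NOW) -> dict:
    """Replay the log up to `when` and return {path: digest} as the drive looked then."""
    if when < now - RETENTION:
        raise ValueError("restore point is outside the 30-day retention window")
    state = {}
    for ts, action, path, digest in entries:
        if ts > when:
            break
        if action == "delete":
            state.pop(path, None)
        else:
            state[path] = digest
    return state


def detect_onset(entries):
    """Return the timestamp of the first event of a mass-modification burst, or None."""
    mods = [e for e in entries if e[1] == "modify"]
    for i, (start, _, _, _) in enumerate(mods):
        existing = len(snapshot_at(entries, start, now=start))  # files present when the burst starts
        touched = {e[2] for e in mods[i:] if e[0] - start <= BURST_WINDOW}
        if existing >= MIN_FILES and len(touched) >= BURST_FRACTION * existing:
            return start
    return None


def suggested_restore_point(entries):
    """Preselect the last clean timestamp: the newest log event strictly before the burst."""
    onset = detect_onset(entries)
    if onset is None:
        return None
    before = [e[0] for e in entries if e[0] < onset]
    return max(before) if before else None


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("onset:", detect_onset(log))
    point = suggested_restore_point(log)
    print("restore to:", point, snapshot_at(log, point))
```

On the sample data the two routine edits on 3 March and 10 March fall well under the threshold, the six modifications inside four seconds on 20 March are flagged as the onset, and the preselected restore point is the last event before it (10:02 on 10 March), whose snapshot still carries the pre-attack digests. Asking for a point older than the retention window is refused rather than silently returning an empty drive.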
Microsoft is also adding three new capabilities to Office 365 meant to help users keep their data secure and private when sending confidential or personal information online, whether by email or by sharing a link.
For starters, the software giant is allowing users to set and require a password to access a shared file or folder in OneDrive, which prevents unauthorized access to their files should the link be accidentally shared with a third party.
Microsoft is also providing email encryption in Outlook.com for an added layer of protection. Through end-to-end encryption of messages, the company aims to prevent hackers from intercepting and reading users’ communication.
“Encryption is particularly useful in cases where it is unclear what level of security your intended recipients’ email providers offer. Recipients receive a link to a trusted Office 365 webpage where they can choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email,” Koenigsbauer says.
Recipients viewing encrypted emails in Outlook.com, the Outlook for iOS and Android app, or the Windows Mail app do not need to engage in extra steps to read and reply to messages. Outlook.com can also detect sensitive information like social security numbers when a new email is composed, and can provide a suggestion to send with encryption.
Additionally, users can now restrict email recipients from forwarding or copying emails sent from Outlook.com. Moreover, all Office documents attached to these emails are now encrypted even after downloading, meaning that, if they are forwarded to a third party, the recipient won’t be able to open the attachment.
Later this year, Office 365 Home and Office 365 Personal subscribers will also be able to take advantage of advanced link checking in Word, Excel, and PowerPoint. The functionality follows the advanced link checking and attachment scanning added to Outlook.com in October last year in an attempt to keep users protected from previously unseen viruses and phishing scams in real-time.
“Starting later this year, links you click in Word, Excel, and PowerPoint will also be checked in real-time to determine if the destination website is likely to download malware onto your computer or if it’s related to a phishing scam. If the link is suspicious, you will be redirected to a warning screen recommending you don’t access the site,” Koenigsbauer notes.

Intel Discontinues Keyboard App Affected by Critical Flaws

Serious vulnerabilities have been found in Intel’s Remote Keyboard application, but the company will not release any patches and instead advised users to uninstall the app.

Introduced in June 2015, the Intel Remote Keyboard apps for Android and iOS allow users to wirelessly control their Intel NUC and Compute Stick devices from a smartphone or tablet. The Android application has been installed more than 500,000 times.

Researchers discovered recently that all versions of Intel Remote Keyboard are affected by three severe privilege escalation flaws.

The most serious of them, rated “critical” and identified as CVE-2018-3641, allows a network attacker to inject keystrokes as a local user. The vulnerability was reported to Intel by a UK-based researcher who uses the online moniker trotmaster.

Another vulnerability, tracked as CVE-2018-3645 and rated “high severity,” was reported to Intel by Mark Barnes. The researcher discovered that Intel Remote Keyboard is affected by a privilege escalation flaw that allows a local attacker to inject keystrokes into another keyboard session.

The third security hole is CVE-2018-3638, which allows an authenticated, local attacker to execute arbitrary code with elevated privileges. Intel has credited Marius Gabriel Mihai for finding this vulnerability.

Intel does not plan on releasing patches for these vulnerabilities. The company has decided to discontinue the product and advised users to uninstall the apps at their earliest convenience. Intel Remote Keyboard has been removed from both Google Play and the Apple App Store.

Intel also published a security advisory this week to warn customers of an important denial-of-service (DoS) vulnerability affecting the SPI Flash component in multiple processors. The flaw was discovered by Intel itself and mitigations are available.
The company also informed users of a privilege escalation flaw in 2G modems, including XMM71xx, XMM72xx, XMM73xx, XMM74xx, Sofia 3G, Sofia 3G-R, and Sofia 3G-RW. The issue impacts devices that have the Earthquake Tsunami Warning System (ETWS) feature enabled.

A network attacker can exploit the vulnerability to execute arbitrary code. “Devices equipped with an affected modem, when connected to a rogue 2G base station where non-compliant 3GPP software may be operational, are potentially at risk,” Intel said.
The company says it has developed patches for this vulnerability.

“External researchers reported a potential security vulnerability in the implementation of the Earthquake and Tsunami Warning System (ETWS) in certain Intel 2G modem firmware implementations. Intel has developed firmware updates that address the issue, and we have been working closely with our customers and partners to deploy the updates to affected products as soon as possible,” Intel told SecurityWeek in an emailed statement.
*Updated with statement from Intel on 2G modem flaws

Monday, March 20, 2017

Windows, macOS Hacked at Pwn2Own 2017

Researchers hacked Windows, macOS, Firefox, Edge, Safari and Flash Player on the second day of the Pwn2Own 2017 competition taking place these days alongside the CanSecWest conference in Vancouver, Canada.

On the first day, participants successfully demonstrated exploits against Edge, Safari, Ubuntu and Adobe Reader, taking home over $230,000 of the $1 million prize pool. On the second day, white hat hackers earned $340,000 for their exploits.

Adobe Flash Player was successfully targeted by both Qihoo360’s 360 Security team and Tencent’s Team Sniper, each earning $40,000 for their exploits. 360 Security used four bugs, while Team Sniper leveraged two use-after-free vulnerabilities.

The Qihoo360 team also managed to break Apple’s macOS operating system, earning $10,000 for a privilege escalation that involved an information disclosure flaw and a race condition in the kernel. The same amount was earned by the Chaitin Security Research Lab team, which elevated privileges on macOS via an information disclosure bug and an out-of-bounds bug in the kernel.

360 Security also earned $35,000 for hacking Apple’s Safari browser and escalating privileges to root on macOS. Team Sniper was paid the same amount for an exploit chain that achieved the same goal.

The Windows operating system was hacked by both 360 Security and Team Sniper, each taking home $15,000 for exploits that involved out-of-bounds and integer overflow vulnerabilities in the kernel.

Microsoft’s Edge browser was successfully targeted on the second day of Pwn2Own 2017 by two groups from Tencent: Team Sniper and Sword Team. They each received $55,000 for disclosing their exploits.

Mozilla Firefox was hacked by the Chaitin Security team via an integer overflow in the browser and an uninitialized buffer weakness in the Windows kernel for privilege escalation. Moritz Jodeit of Blue Frost Security also targeted Firefox, but failed to complete the exploit chain in the allocated timeframe.

Some of the Tencent teams – the Chinese firm had four teams in the competition – withdrew their entries or were disqualified for not using zero-day vulnerabilities.

Due to the unprecedented number of contestants and entries, some of the exploits will be demonstrated on the third day of the event, when participants will take a crack at Edge, including with a VM escape, and VMware Workstation. Depending on the results, the total amount paid out this year could exceed $800,000, nearly double the figure for Pwn2Own 2016.

Hackers Earn Big Bounties for GitHub Enterprise Flaws

White hat hackers have earned tens of thousands of dollars in bounties after finding serious vulnerabilities in GitHub Enterprise.

GitHub Enterprise is the on-premises version of GitHub.com, for which organizations pay an annual fee of $2,500 for every 10 users. The product promises enterprise-grade security, 24/7 technical support, hosting options, and several administration features not available for GitHub.com.

GitHub Enterprise versions 2.8.5, 2.8.6 and 2.8.7, released in January, patch several flaws rated critical and high severity, including ones that can be exploited to bypass authentication and remotely execute arbitrary code.

The researchers who discovered the vulnerabilities have started making their findings public, and information from GitHub and the experts themselves shows that they earned significant rewards.

GitHub included the Enterprise product in its bug bounty program at the beginning of the year, when it announced that the most severe bugs reported in January and February would also receive bonus rewards.

Two of the vulnerabilities rated critical were identified by Greece-based researcher Ioannis Kakavas. The expert discovered a couple of flaws in the Security Assertion Markup Language (SAML) implementation of GitHub Enterprise, and received a research grant to conduct a full assessment of SAML in GitHub.

Kakavas, who is currently the second best hacker in GitHub’s bug bounty program, earned a total of $27,000 for the flaws he uncovered. He recently published a blog post containing technical details and proof-of-concept (PoC) code.

Another critical flaw was discovered by German bug bounty hunter Markus Fenske. The expert found a weakness in the management console that could have been exploited to execute arbitrary commands on the GitHub Enterprise appliance.

Fenske has received a total of $18,000 for his findings, which includes a $10,000 bounty, the maximum reward offered by GitHub, and an $8,000 bonus.

Researcher Orange Tsai, who last year managed to hack a Facebook server, received $5,000 and a $5,000 bonus for responsibly disclosing a high severity SQL injection vulnerability related to the pre-receive hook APIs used by GitHub Enterprise.
GitHub said there was no evidence that the vulnerabilities identified by Fenske and Kakavas had been exploited in the wild.
